Tuesday, 31 January 2017
ICO: Data Security Includes Transport of Records to New Jobs
We typically think of data security as pertaining only to online data that might be accessed through hacked networks. But it turns out there's more to it, as evidenced by the recent prosecution of a woman who was charged with e-mailing herself contact information on more than 100 clients as she moved to another job.
According to ICO Head of Enforcement Steve Eckersley, it is against the law to take "personal information when you change jobs for your own benefit or [the] benefit of the [new] company." This includes contact information that would enable a worker to stay in touch with clients.
The ICO reports that Rebecca Gray pleaded guilty on 18 January 2017 to a violation of section 55 of the Data Protection Act. Her penalty included a £200 fine, £214 in prosecution costs, and a £30 victim surcharge. She maintained that her intent was never to cause harm, but Ms Gray still lost her job as a result of her actions.
The Data Protection Act of 1998 is very specific about what kinds of data must be protected by employers and others. While it may seem a bit severe that Ms Gray was prosecuted for her decision to keep the customer contact information, there is a very good reason why her actions constitute an offence under the law.
Contact information consisting of just a name and physical address is enough for a creative hacker to steal a person's identity. It doesn't take much in a day and age when so much information about so many of us is stored online. The most successful identity thieves need but a crack to get in the door. Therefore, all personal data must be protected at all costs.
The idea of privacy needs to be considered here as well. Ms Gray was part of the recruiting industry before losing her job. It is possible that clients she worked with via her former employer don't want to be contacted by her on behalf of a new agency. Some might even be surprised to be contacted by Ms Gray through her new employer, leading to concerns about their own privacy and security.
In the end, the advice offered by Eckersley is sound. In an official ICO news release Eckersley said:
"We're asking people to stop and think about the consequences before taking information. Most people know it's wrong, but they don't seem to realise it's a criminal offence and that they could end up in court and also lose their job. What people think is a minor mistake can lead to job loss, a day in court and a fine."
We are confident that Ms Gray has learned her lesson and will not repeat her previous actions. In the meantime, we urge our readers to remind their employees of their legal responsibilities under the Data Protection Act. Data collected for your business purposes must remain with your business when employees leave.
Source: ICO – https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/01/ico-warns-people-it-s-against-the-law-to-take-clients-personal-information-to-a-new-company/